date:20160730

Re: Security update of openssh for wheezy

2016-07-30 Thread Markus Koschany

On 31.07.2016 02:46, Adrian Zaugg wrote:
> 
> Is the security breech also present in openssh of wheezy-backports
> (openssh-server 1:6.6p1-4~bpo70+1, I guess yes because 1.6.0 and 1.6.7
> are affected)?
> 
> Is wheezy-backports in generally supported or not by the LTS Team?
> 
> Thank you for your quick answer!

Hello Adrian,

wheezy-backports is not supported by the LTS team. [1] It is best to
contact the maintainer and request an update.

Regards,

Markus

[1]
https://wiki.debian.org/LTS/FAQ#Who_fixes_security_issues_with_packages_in_wheezy-backports.3F



signature.asc
Description: OpenPGP digital signature

Re: Security update of openssh for wheezy

2016-07-30 Thread Adrian Zaugg


Is the security breech also present in openssh of wheezy-backports
(openssh-server 1:6.6p1-4~bpo70+1, I guess yes because 1.6.0 and 1.6.7
are affected)?

Is wheezy-backports in generally supported or not by the LTS Team?

Thank you for your quick answer!

Regards, Adrian.

On 26.07.16 23:24, Ola Lundqvist wrote:
> Hi OpenSSH Maintainers and LTS team
> 
> I have prepared a security update of openssh for wheezy.
> 
> For more information about the issue solved see here:
> https://security-tracker.debian.org/tracker/CVE-2016-6210
> I have applied the same patch as in sid and it applied fine, except that
> I had to change a call to a clear memory function to a loop instead. ...or 
> This function is not available in wheezy.
> 
> You can find the debdiff here:
> http://apt.inguza.net/wheezy-security/openssh/CVE-2016-6210.debdiff
> 
> You can also find the packages that I intend to upload here:
> http://apt.inguza.net/wheezy-security/openssh/
> 
> I have regression tested and I could login still, and use the client too.
> I could not reproduce the problem good enough to tell for sure that they
> are solved. However they should be solved just as good as in sid and jessie.
> 
> If no-one objects I will upload this package in four days, that is on
> Saturday.
> 
> Best regards
> 
> // Ola

lovely

2016-07-30 Thread Leslie S Satenstein

Hey! 

Have you  seen something as lovely  as that stuff? I swear you  haven't, just 
take a look here 

Pardon my monkey thumbs, Leslie S Satenstein

Re: Wheezy update of libreoffice?

2016-07-30 Thread Guido Günther

Hi,

Just a random comment:

On Sat, Jul 30, 2016 at 09:45:51PM +0200, Balint Reczey wrote:
>  Priority: optional
>  Maintainer: Debian LibreOffice Maintainers 
> 
>  Uploaders: Rene Engelhard 
> -Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | 
> flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, 
> libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], 
> zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, 
> libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, 
> xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, 
> libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips 
> mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], 
> libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), 
> libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 0.9.3) 
> [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), libjpeg-dev, 
> libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 2.2.11), 
> libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, 
> libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= 
> 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= 
> 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips 
> mipsel powerpc powerpcspe ppc64 s390 s390x sparc], openjdk-7-jdk [ia64], 
> gcj-jdk [hppa kfreebsd-i386 kfreebsd-amd64], gcj-native-helper [hppa 
> kfreebsd-amd64 kfreebsd-i386], libgcj-common (>= 1:4.4.1) [hppa 
> kfreebsd-amd64 kfreebsd-i386], ant (>= 1.7.0), ant-optional (>= 1.7.0), 
> g++-mingw-w64-i686 [i386 amd64], libcommons-codec-java, 
> libcommons-httpclient-java, libcommons-lang-java, libcommons-logging-java (>= 
> 1.1.1-9), libservlet2.5-java, libbase-java [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libsac-java [!hppa !kfreebsd-amd64 !kfreebsd-i386], 
> libxml-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libflute-java 
> (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], 
> libpentaho-reporting-flow-engine-java (>= 0.9.4) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], liblayout-java (>= 0.2.10) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libloader-java (>= 1.1.6) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libformula-java (>= 1.1.7) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], librepository-java (>= 1.1.6) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libfonts-java (>= 1.1.6) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libserializer-java (>= 1.1.6) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java, 
> javahelper (>= 0.37~), libnss3-dev (>= 3.12.3), dmake (>= 1:4.11), 
> libhunspell-dev (>= 1.1.5-2), libhyphen-dev (>= 2.4), libstlport4.6-dev (>= 
> 4.6.2-3) [i386], libboost-dev (>= 1.38), libmdds-dev (>= 0.5.0), 
> libvigraimpex-dev, libsampleicc-dev, libicc-utils-dev, libwpd-dev (>= 0.9.0), 
> libmythes-dev (>= 2:1.2), libwps-dev (>= 0.2.0), libwpg-dev (>= 0.2.0), 
> libvisio-dev, libcmis-dev, libicu-dev (>= 4.0), libcairo2-dev, kdelibs5-dev 
> (>= 4:4.3.4), libqt4-dev (>= 4:4.8), libmysqlclient-dev, libmysqlcppconn-dev 
> (>= 1.1.0~r791), libgtk2.0-dev (>= 2.10), libgtk-3-dev (>= 3.2~), 
> libebook1.2-dev, libpq-dev (>= 9.0~), libxrandr-dev, liblucene2-java (>= 
> 2.3.2), libhsqldb-java (>> 1.8.0.10), bsh (>= 2.0b4), liblpsolve55-dev (>= 
> 5.5.0.13-5+b1), lp-solve (>= 5.5.0.13-5+b1), libsuitesparse-dev (>= 1:3.4.0), 
> libdbus-glib-1-dev (>= 0.70), libgstreamer-plugins-base0.10-dev, 
> libneon27-gnutls-dev, librdf0-dev (>= 1.0.8), libglib2.0-dev (>= 2.15.0), 
> libgconf2-dev, liborbit2-dev, gettext, make (>= 3.81-8.2), libldap2-dev
> +Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | 
> flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, 
> libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], 
> zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, 
> libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, 
> xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, 
> libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips 
> mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], 
> libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), 
> libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 
> 1.3.6-1~deb7u2) [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), 
> libjpeg-dev, libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 
> 2.2.11), libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, 
> libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= 
> 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= 
> 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips 
> mipsel powerpc powerpcspe ppc64 s390 s390x sparc], openjdk-7-jdk [ia64],

Re: Wheezy update of libreoffice?

2016-07-30 Thread Balint Reczey

Hi Rene,

On 07/28/2016 08:36 PM, Rene Engelhard wrote:
> Hi,
> 
> On Thu, Jul 28, 2016 at 07:12:16PM +0200, Bálint Réczey wrote:
>> Thank you for preparing the patch.
>> I'm building it right now and would like to test it if you have not done so 
>> yet.
>> After it is tested feel free to upload it.
> 
> Then it's best you mergechanges and upload after testing, I only built the
> source package, I didn't build it, so if you have a build...

It took some time to get it built due to libgraphite2-dev FTBFS-ing
libreoffice but the attached patch for graphite2 solves that.

A binary build was needed anyway since wheezy-security does not accept
source-only uploads AFAIK.

The fix for the vulnerability works and a the fixed libreoffice can
still parse a valid RTF [1].

Please see the final proposed patch for libreoffice attached, too.

The binary packages for amd64 will also be available for testing here
when the upload is finished:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

I plan uploading both fixed packages tomorrow.

Cheers,
Balint

[1] http://thewalter.net/stef/software/rtfx/sample.rtf

diff -Nru graphite2-1.3.6/debian/changelog graphite2-1.3.6/debian/changelog
--- graphite2-1.3.6/debian/changelog	2016-03-09 12:12:34.0 +0100
+++ graphite2-1.3.6/debian/changelog	2016-07-29 19:30:16.0 +0200
@@ -1,3 +1,10 @@
+graphite2 (1.3.6-1~deb7u2) oldstable-security; urgency=medium
+
+  * LTS Team upload
+  * Fix .shlibs file to let reverse depenencies build
+
+ -- Balint Reczey   Fri, 29 Jul 2016 19:29:22 +0200
+
 graphite2 (1.3.6-1~deb7u1) oldstable-security; urgency=high
 
   * rebuild for oldstable-security 
diff -Nru graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs
--- graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs	2016-03-09 12:09:32.0 +0100
+++ graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs	2016-07-30 00:38:31.0 +0200
@@ -1 +1 @@
-libgraphite2	3	libgraphite2-2.0.0
+libgraphite2	2.0.0	libgraphite2-2.0.0 (>= 1.3.6-1~)
diff -Nru libreoffice-3.5.4+dfsg2/debian/changelog libreoffice-3.5.4+dfsg2/debian/changelog
--- libreoffice-3.5.4+dfsg2/debian/changelog	2016-02-11 18:15:51.0 +0100
+++ libreoffice-3.5.4+dfsg2/debian/changelog	2016-07-30 12:58:16.0 +0200
@@ -1,3 +1,17 @@
+libreoffice (1:3.5.4+dfsg2-0+deb7u7) wheezy-security; urgency=high
+
+  [ Rene Engelhard ]
+  * merge from Ubuntu:
+- SECURITY UPDATE: Denial of service and possible arbitrary code execution
+  via a crafted RTF file
+  + debian/patches/rtf-use-after-free.diff: Prevent rtf use-after-free
+  + CVE-2016-4324
+
+  [ Balint Reczey ]
+  * depend on libgraphite2-dev version which has working shlibs file
+
+ -- Balint Reczey   Sat, 30 Jul 2016 12:58:14 +0200
+
 libreoffice (1:3.5.4+dfsg2-0+deb7u6) wheezy-security; urgency=high
 
   * debian/patches/V-1lp8t84lh4.diff: fix "LibreOffice Writer Lotus Word Pro
diff -Nru libreoffice-3.5.4+dfsg2/debian/control libreoffice-3.5.4+dfsg2/debian/control
--- libreoffice-3.5.4+dfsg2/debian/control	2013-05-29 23:22:11.0 +0200
+++ libreoffice-3.5.4+dfsg2/debian/control	2016-07-30 12:52:29.0 +0200
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Debian LibreOffice Maintainers 
 Uploaders: Rene Engelhard 
-Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 0.9.3) [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), libjpeg-dev, libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 2.2.11), libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips mipsel powerpc powerpcspe ppc64 s390 s390x sparc], openjdk-7-jdk [ia64], gcj-jdk [hppa kfreebsd-i386 kfreebsd-amd64], gcj-native-helper [hppa kfreebsd-amd64 kfreebsd-i386], libgcj-common (>= 1:4.4.1) [hppa kfreebsd-amd64 kfreebsd-i386], ant (>= 1.7.0), ant-optional (>= 1.7.0), g++-mingw-w64-i686 [i386 amd64], libcommons-codec-java, libcommons-httpclient-java, libcommons-lang-java, libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java, libbase-java [!hppa !kfreebsd-amd64 !kfreebsd-i386], libsac-java [!hppa !kfreebsd-amd64 !kfreebsd-i386], libxml

Re: xen_4.1.6.1-1+deb7u2.dsc

2016-07-30 Thread Guido Günther

On Fri, Jul 29, 2016 at 01:26:22PM +0200, Bastian Blank wrote:
> Hi Guido
> 
> On Fri, Jul 29, 2016 at 01:13:33PM +0200, Guido Günther wrote:
> > * the complete removal of tools/ioemu-qemu-xen - guess this was unused
> >   anyway since quiet some time, right?
> 
> I have no idea and found not one reference to that folder.
> 
> > * there are some XSA related patches in debian/patches. Will these move
> >   into
> >   https://github.com/credativ/xen-lts/
> >   eventually?
> 
> I think I forgot to delete some.  The rest most likely won't as it is
> either qemu or libxl.
> 
> > If Brian has no objections feel free to upload, Please let me know once
> > done so I can then release the DLA (in case you don't want to handle it
> > youself).
> 
> I have no idea how to do that yet.  So feel free.

Thanks for uploading! I've put out the DSA and marked XSA-166 as fixed
in the tracker (since it has no CVE assigned). The tracker lists these

CVE-2016-5403   virtio: unbounded memory allocation on host via guest leading 
to DoS
CVE-2016-5242   The p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x 
through 4.6.x ...
CVE-2016-4963   The libxl device-handling in Xen through 4.6.x allows local 
guest OS ...
CVE-2016-4962   The libxl device-handling in Xen 4.6.x and earlier allows local 
OS ...

as affecting Wheezy. I've marked CVE-2016-5242 as not-affected since we
don't have ARM xen in wheezy. What about the other ones?

Cheers,
 -- Guido

Re: Wheezy update of twisted?

2016-07-30 Thread Free Ekanayaka

Hello,

I'm going on vacation shortly, and likely won't have time to address the
bug timely enough. So unless Matthias has cycles to work on it, I'd say yes
go ahead please. Thanks

Free

On 28 July 2016 at 22:37, Thorsten Alteholz  wrote:

> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of twisted:
> https://security-tracker.debian.org/tracker/CVE-2016-1000111
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> Thank you very much.
>
> Thorsten Alteholz,
>   on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
>
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>
>
>

Re: Security update of openssh for wheezy

Re: Security update of openssh for wheezy

lovely

Re: Wheezy update of libreoffice?

Re: Wheezy update of libreoffice?

Re: xen_4.1.6.1-1+deb7u2.dsc

Re: Wheezy update of twisted?

7 matches

Site Navigation

Mail list logo

Footer information